[Fedora-directory-commits] ldapserver/ldap/servers/slapd sasl_map.c, 1.9, 1.10 saslbind.c, 1.28, 1.29 slapi-plugin.h, 1.33, 1.34 slapi-private.h, 1.28, 1.29 util.c, 1.17, 1.18

Richard Allen Megginson rmeggins at fedoraproject.org
Wed Nov 5 18:21:08 UTC 2008 

Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12377/ldapserver/ldap/servers/slapd

Modified Files:
	sasl_map.c saslbind.c slapi-plugin.h slapi-private.h util.c 
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 2
Reviewed by: nhosoi (Thanks!)
Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain.  I had to add two new config parameters for chaining:
nsUseStartTLS - on or off - tell connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth.  If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to the sasl user id.  This search could not be chained due to the way it was coded.  So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID.  This allows the sasl code to work with a chained backend.  In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents.  I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes



Index: sasl_map.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/sasl_map.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- sasl_map.c	30 Jun 2008 17:28:16 -0000	1.9
+++ sasl_map.c	5 Nov 2008 18:21:06 -0000	1.10
@@ -440,6 +440,8 @@
 	}
 	if (matched) {
 		if (matched == 1) {
+			char escape_base[BUFSIZ];
+			char escape_filt[BUFSIZ];
 			/* Allocate buffers for the returned strings */
 			/* We already computed this, so we could pass it in to speed up a little */
 			size_t userrealmlen = strlen(sasl_user_and_realm); 
@@ -448,7 +450,11 @@
 			*ldap_search_filter = (char *) slapi_ch_malloc(userrealmlen + strlen(dp->template_search_filter) + 1);
 			slapd_re_subs(dp->template_base_dn,*ldap_search_base);
 			slapd_re_subs(dp->template_search_filter,*ldap_search_filter);
-			LDAPDebug( LDAP_DEBUG_TRACE, "mapped base dn: %s, filter: %s\n", ldap_search_base, ldap_search_filter, 0 );
+			/* these values are internal regex representations with lots of
+			   unprintable control chars - escape for logging */
+			LDAPDebug( LDAP_DEBUG_TRACE, "mapped base dn: %s, filter: %s\n",
+					   escape_string( *ldap_search_base, escape_base ),
+					   escape_string( *ldap_search_filter, escape_filt ), 0 );
 			ret = 1;
 		} else {
 			LDAPDebug( LDAP_DEBUG_ANY, "sasl_map_check : re_exec failed\n", 0, 0, 0 );


Index: saslbind.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/saslbind.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- saslbind.c	4 Nov 2008 23:21:10 -0000	1.28
+++ saslbind.c	5 Nov 2008 18:21:06 -0000	1.29
@@ -81,6 +81,21 @@
     slapi_ch_free(&ptr);
 }
 
+static Slapi_ComponentId *sasl_component_id = NULL;
+
+static void generate_component_id()
+{
+    if (NULL == sasl_component_id) {
+        sasl_component_id = generate_componentid(NULL /* Not a plugin */,
+                                                 COMPONENT_SASL);
+    }
+}
+
+static Slapi_ComponentId *sasl_get_component_id()
+{
+    return sasl_component_id;
+}
+
 /* 
  * sasl library callbacks
  */
@@ -238,20 +253,23 @@
 )
 {
     Slapi_Entry **entries = NULL;
-    Slapi_PBlock *pb;
+    Slapi_PBlock *pb = NULL;
     int i, ret;
 
     LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search basedn=\"%s\" filter=\"%s\"\n", basedn, filter, 0);
 
     /* TODO: set size and time limits */
-
-    pb = slapi_search_internal(basedn, scope, filter, 
-                               ctrls, attrs, attrsonly);
-    if (pb == NULL) {
-        LDAPDebug(LDAP_DEBUG_TRACE, "null pblock from slapi_search_internal\n", 0, 0, 0);
+    pb = slapi_pblock_new();
+    if (!pb) {
+        LDAPDebug(LDAP_DEBUG_TRACE, "null pblock for search_internal_pb\n", 0, 0, 0);
         goto out;
     }
 
+    slapi_search_internal_set_pb(pb, basedn, scope, filter, attrs, attrsonly, ctrls, 
+                                 NULL, sasl_get_component_id(), 0); 
+
+    slapi_search_internal_pb(pb);
+
     slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
     if (ret != LDAP_SUCCESS) {
         LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search failed basedn=\"%s\" "
@@ -261,7 +279,11 @@
     }
 
     slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
-    if (entries == NULL) goto out;
+    if ((entries == NULL) || (entries[0] == NULL)) {
+        LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found no entries\n",
+                  0, 0, 0);
+        goto out;
+    }
 
     for (i = 0; entries[i]; i++) {
         (*foundp)++;
@@ -546,6 +568,9 @@
     LDAPDebug(LDAP_DEBUG_TRACE, "sasl service fqdn is: %s\n", 
                   serverfqdn, 0, 0);
 
+    /* get component ID for internal operations */
+    generate_component_id();
+
     /* Set SASL memory allocation callbacks */
     sasl_set_alloc(
         (sasl_malloc_t *)slapi_ch_malloc,
@@ -1016,4 +1041,3 @@
 
     return;
 }
-


Index: slapi-plugin.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-plugin.h,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- slapi-plugin.h	4 Nov 2008 18:23:08 -0000	1.33
+++ slapi-plugin.h	5 Nov 2008 18:21:06 -0000	1.34
@@ -1103,6 +1103,7 @@
     const char *mech, /* name of mechanism */
     LDAPControl **serverctrls, /* additional controls to send */
     LDAPControl ***returnedctrls, /* returned controls */
+    struct timeval *timeout, /* timeout */
     int *msgidp /* pass in non-NULL for async handling */
 );
 


Index: slapi-private.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-private.h,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- slapi-private.h	24 Oct 2008 22:36:58 -0000	1.28
+++ slapi-private.h	5 Nov 2008 18:21:06 -0000	1.29
@@ -720,6 +720,7 @@
 #define COMPONENT_RESLIMIT	"cn=resource limits,"COMPONENT_BASE_DN
 #define COMPONENT_PWPOLICY	"cn=password policy,"COMPONENT_BASE_DN
 #define COMPONENT_CERT_AUTH	"cn=certificate-based authentication,"COMPONENT_BASE_DN
+#define COMPONENT_SASL		"cn=sasl,"COMPONENT_BASE_DN
 
 /* Component names for logging */
 #define SLAPI_COMPONENT_NAME_NSPR	"Netscape Portable Runtime"


Index: util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/util.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- util.c	4 Nov 2008 18:23:08 -0000	1.17
+++ util.c	5 Nov 2008 18:21:06 -0000	1.18
@@ -974,7 +974,17 @@
 		ssl_strength = LDAPSSL_AUTH_CERT;
 	    }
 
-	    if (ldapssl_set_strength(ld, ssl_strength) != 0) {
+	    /* Can only use ldapssl_set_strength on and LDAP* already
+	       initialized for SSL - this is not the case when using
+	       startTLS, so we use NULL to set the default for all
+	       new connections */
+	    if (secure == 1) {
+		rc = ldapssl_set_strength(ld, ssl_strength);
+	    } else {
+		rc = ldapssl_set_strength(NULL, ssl_strength);
+	    }
+
+	    if (rc != 0) {
 		int prerr = PR_GetError();
 
 		slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
@@ -1052,6 +1062,7 @@
     const char *mech, /* name of mechanism */
     LDAPControl **serverctrls, /* additional controls to send */
     LDAPControl ***returnedctrls, /* returned controls */
+    struct timeval *timeout, /* timeout */
     int *msgidp /* pass in non-NULL for async handling */
 )
 {
@@ -1125,8 +1136,8 @@
 	if (msgidp) { /* let caller process result */
 	    *msgidp = mymsgid;
 	} else { /* process results */
-	    if (ldap_result(ld, mymsgid, LDAP_MSG_ALL,
-			    (struct timeval *)0, &result) == -1) {
+            rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, timeout, &result);
+	    if (-1 == rc) { /* error */
 		rc = ldap_get_lderrno(ld, NULL, NULL);
 		slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
 				"Error reading bind response for id "
@@ -1135,8 +1146,18 @@
 				mech ? mech : "SIMPLE",
 				rc, ldap_err2string(rc));
 		goto done;
-	    }                
-	    
+	    } else if (rc == 0) { /* timeout */
+		rc = LDAP_TIMEOUT;
+		slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
+				"Error: timeout after [%d.%d] seconds reading "
+				"bind response for [%s] mech [%s]\n",
+				timeout ? timeout->tv_sec : 0,
+				timeout ? timeout->tv_usec : 0,
+				bindid ? bindid : "(anon)",
+				mech ? mech : "SIMPLE");
+		goto done;
+	    }
+	    /* if we got here, we were able to read success result */
 	    /* Get the controls sent by the server if requested */
 	    if (returnedctrls) {
                 if ((rc = ldap_parse_result(ld, result, &rc, NULL, NULL,

More information about the Fedora-directory-commits mailing list